9963c98376d1e76c9b80a8fcce26b7e00242c9ba2aee16670d967c30f0403c6d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 01:50

Target

0aad0a2c1da1fa2c52408cc9f1647235.exe
Size

209KB
MD5

0aad0a2c1da1fa2c52408cc9f1647235
SHA1

8cc575131b600d56d6a956a88ed75ce3e85e753b
SHA256

9963c98376d1e76c9b80a8fcce26b7e00242c9ba2aee16670d967c30f0403c6d
SHA512

fca0bd850222352acbd1eb9ee42ff385f47d9e82132af43f7be5fcc3a7214fc303d7763a414b3b615be410cc3b13441a8b7040e1cbb47ad07da6f7aba67c0190
SSDEEP

6144:qli50Pn19AFu/0xO7Qsvg1mBmwDmKaP1JBJ9Z:k19AFu/HRvgNEmKaTV

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
556	u.dll
2312	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5004	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 3196	4876	0aad0a2c1da1fa2c52408cc9f1647235.exe	96
PID 4876 wrote to memory of 3196	4876	0aad0a2c1da1fa2c52408cc9f1647235.exe	96
PID 4876 wrote to memory of 3196	4876	0aad0a2c1da1fa2c52408cc9f1647235.exe	96
PID 3196 wrote to memory of 556	3196	cmd.exe	95
PID 3196 wrote to memory of 556	3196	cmd.exe	95
PID 3196 wrote to memory of 556	3196	cmd.exe	95
PID 556 wrote to memory of 2312	556	u.dll	90
PID 556 wrote to memory of 2312	556	u.dll	90
PID 556 wrote to memory of 2312	556	u.dll	90
PID 3196 wrote to memory of 3368	3196	cmd.exe	92
PID 3196 wrote to memory of 3368	3196	cmd.exe	92
PID 3196 wrote to memory of 3368	3196	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\0aad0a2c1da1fa2c52408cc9f1647235.exe
"C:\Users\Admin\AppData\Local\Temp\0aad0a2c1da1fa2c52408cc9f1647235.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4788.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3196

C:\Users\Admin\AppData\Local\Temp\47E6.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\47E6.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe47E7.tmp"
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Users\Admin\AppData\Local\Temp\4788.tmp\vir.bat

Filesize
2KB

MD5
da54df76fcc63bcea17f98b86ae5cfaa

SHA1
2161a999ea0c07a66104a711d1a47d24ecf8ee28

SHA256
6be4d87de9293c10e7e901bd72714dd1e6627577531039b4fbbd28fce89d32d4

SHA512
f86ea4f09a187dd51c604ca16ab7a18cacaa1c51fceee9ae207a607246a10c25c93b628e80b5296697b9dc2fec54c2958caa9f9e4e6a7a6539da8c5aa4c80da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
84b76845654285a13592c9e42b2f8b8a

SHA1
af1373a5c315f3fc3fb18d88ad4c28f6938de640

SHA256
635da8f03b922a520ffb1ad9c4e8c460822cec92bc02c14da4d2455ba0300242

SHA512
a0c1e791d4f571b27f34f37529ac0391557f08edf6feaa9866117924a6e2c0a5eae0c9f88f79f570321676b6fa630933f301324f08915ad13825ce76d7aef33d

Download Submit
memory/2312-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4876-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4876-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download